Download Manager Plugin Vulnerability (CVE-2026-13733)

Security Alert Summary

The Download Manager plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the no_data_msg shortcode attribute. Insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject script payloads that are rendered in pages and executed when those pages are viewed.

CVE Details

  • CVE ID: CVE-2026-13733
  • Affected component: Download Manager plugin (vendor: codename065)
  • Affected versions: All versions up to and including 3.3.60
  • Published: July 1, 2026 at 8:16:21 AM UTC
  • Last modified: July 1, 2026 at 1:56:17 PM UTC
  • CVSS v3.1: Base Score 6.4 (MEDIUM) – Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Vulnerability can be exploited by authenticated users with contributor-level access or higher. CVSS lists Privileges Required: LOW and User Interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness: CWE-79 (Cross-site Scripting)

Technical Details

This is a stored XSS vulnerability arising from insufficient sanitization and escaping of the no_data_msg shortcode attribute. The plugin applies wp_kses_post to post content on save, which strips certain HTML tokens but does not neutralize C-style escape sequences embedded inside shortcode attribute values. An attacker with contributor-level access can craft a shortcode attribute value that survives the kses filter and is reconstructed into a raw <script> tag at render time, causing script execution in the context of users who view the injected page.

The vulnerability stems from treating shortcode attribute values as safe after saving and not performing adequate escaping when rendering those values, allowing reconstruction of executable markup at display time.
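The defect described above is a render-time escaping gap: the attribute value is trusted because the post body was filtered on save, and is then echoed raw. The following is an added example written for this page, not the Download Manager plugin's code; it uses a hypothetical shortcode tag `example_list` and shows the unsafe output pattern beside the hardened form that escapes at the point of output.

```php
<?php
// Added example, not the plugin's code. Hypothetical shortcode 'example_list'
// with a no_data_msg attribute, illustrating the pattern behind CVE-2026-13733
// and the fix: escape at render time, never trust save-time filtering alone.

// Unsafe pattern: the attribute came from post content that wp_kses_post()
// already filtered on save, so the value is echoed as-is. Any decoding the
// plugin applies to the value (the advisory mentions C-style escape sequences)
// can rebuild markup that the save-time filter never saw.
function example_list_render_unsafe( $atts ) {
    $atts  = shortcode_atts( array( 'no_data_msg' => 'No items found.' ), $atts, 'example_list' );
    $items = array(); // assume the underlying query returned nothing
    if ( empty( $items ) ) {
        return '<div class="no-data">' . $atts['no_data_msg'] . '</div>';
    }
    return '<ul><li>' . implode( '</li><li>', array_map( 'esc_html', $items ) ) . '</li></ul>';
}

// Hardened pattern: escape the attribute when it is written into HTML.
// esc_html() encodes < > & " ' so reconstructed tags become inert text.
// Do the escaping after any decoding step, so the encoded form is what ships.
function example_list_render_safe( $atts ) {
    $atts  = shortcode_atts( array( 'no_data_msg' => 'No items found.' ), $atts, 'example_list' );
    $items = array(); // assume the underlying query returned nothing
    if ( empty( $items ) ) {
        return '<div class="no-data">' . esc_html( $atts['no_data_msg'] ) . '</div>';
    }
    return '<ul><li>' . implode( '</li><li>', array_map( 'esc_html', $items ) ) . '</li></ul>';
}

// If the message must be allowed to carry limited formatting, run it through
// wp_kses_post() at this point instead of esc_html(); either way the escaping
// happens at output, which is what the vulnerable version omitted.
add_shortcode( 'example_list', 'example_list_render_safe' );
```

The fix is deliberately independent of what happens on save: a contributor's content can reach the database through several paths, so output escaping is the control that holds regardless of how the value got there.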

How This Could Impact Your Website

In a typical scenario, a site owner allows multiple trusted users to contribute content. An external contractor or an internal staff member with contributor-level access could insert a malicious no_data_msg attribute value into a page or post. When other users visit that page, the injected script can execute in their browsers. Practical consequences include exposure of any information accessible to a visiting user’s browser (for example, visible profile or page data), and increased risk of targeted phishing if internal email addresses or user-visible information are collected or displayed.

Based on the available data, this vulnerability does not by itself lead to full site takeover, but it can be used to perform targeted attacks against users who view compromised pages. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, new shortcode usage, or unexpected page edits.
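To support the monitoring step above, the following added script (not from the advisory or the plugin) scans post content for `no_data_msg` attribute values that contain characters a plain-text message would not need, such as angle brackets, backslash escapes, or numeric entities, and reports the post and author. The file name `scan-no-data-msg.php` and the sample posts are assumptions; inside WordPress it runs with `wp eval-file scan-no-data-msg.php`, and outside WordPress it falls back to the constructed sample so the logic can be checked stand-alone.

```php
<?php
// Added example, not the plugin's code. Flags no_data_msg shortcode attribute
// values in post content that look like markup or escape sequences rather than
// a plain message. The shortcode tag is not matched on purpose: any shortcode
// carrying a no_data_msg attribute is inspected.

// Extract every no_data_msg value from a block of post content.
// Handles double-quoted, single-quoted and bare attribute values.
function extract_no_data_msg_values( $content ) {
    $values  = array();
    $pattern = '/no_data_msg\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    if ( preg_match_all( $pattern, $content, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $match ) {
            $value = '';
            foreach ( array( 1, 2, 3 ) as $i ) { // first non-empty capture group wins
                if ( isset( $match[ $i ] ) && $match[ $i ] !== '' ) {
                    $value = $match[ $i ];
                    break;
                }
            }
            $values[] = $value;
        }
    }
    return $values;
}

// A plain "no data" message has no reason to contain tags, backslash escapes,
// numeric entities, inline event handlers or a javascript: scheme.
function is_suspicious_message( $value ) {
    return (bool) preg_match( '/[<>\\\\]|&#|&lt;|&gt;|\bon[a-z]+\s*=|javascript:/i', $value );
}

// $posts: list of arrays with keys id, author, content. Returns the findings.
function scan_posts_for_no_data_msg( array $posts ) {
    $findings = array();
    foreach ( $posts as $post ) {
        foreach ( extract_no_data_msg_values( $post['content'] ) as $value ) {
            if ( is_suspicious_message( $value ) ) {
                $findings[] = array(
                    'id'     => $post['id'],
                    'author' => $post['author'],
                    'value'  => $value,
                );
            }
        }
    }
    return $findings;
}

if ( function_exists( 'get_posts' ) ) {
    // Inside WordPress: read every post of every type and status.
    $posts = array();
    foreach ( get_posts( array( 'post_type' => 'any', 'post_status' => 'any', 'numberposts' => -1 ) ) as $p ) {
        $posts[] = array( 'id' => $p->ID, 'author' => $p->post_author, 'content' => $p->post_content );
    }
} else {
    // Stand-alone: constructed sample data, not real site content.
    $posts = array(
        array( 'id' => 101, 'author' => 4, 'content' => '[example_list no_data_msg="No files yet"]' ),
        array( 'id' => 102, 'author' => 7, 'content' => '[example_list no_data_msg="Nothing \x3cb\x3e here"]' ),
        array( 'id' => 103, 'author' => 7, 'content' => "[example_list no_data_msg='Empty &#60;list']" ),
    );
}

$findings = scan_posts_for_no_data_msg( $posts );
printf( "%d suspicious no_data_msg value(s)\n", count( $findings ) );
foreach ( $findings as $f ) {
    printf( "post %d (author %d): %s\n", $f['id'], $f['author'], $f['value'] );
}
```

On the constructed sample the scan reports posts 102 and 103 and leaves 101 alone. Pair the author IDs in the output with a review of contributor-level accounts, and rerun the scan after updating the plugin so that any value already stored is found and cleaned rather than left to be rendered by the patched code.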

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
